
Oct. 19 — Companies unsure of how regulators will enforce the new European Union privacy regime
may soon be receiving official guidance, the head of the EU's official privacy regulator
group told Bloomberg BNA.

Isabelle Falque-Pierrotin, chairwoman of the Article 29 Working Party of privacy officials
from the 28 EU countries, said the group's initial guidance on enforcement, privacy
officer and data portability provisions of the EU General Data Protection Regulation
(GDPR) are slated for release before the end of 2016.

The GDPR, which replaces the 21-year-old EU Data Protection Directive (95/46/EC),
is set to take effect May 25, 2018.

Companies need the guidance because “there are ambiguities in the GDPR text,” Falque-Pierrotin,
who is also president of the French privacy office, told Bloomberg BNA on the sidelines
of the 38th International Conference of Data Protection and Privacy Commissioners
in Marrakesh, Morocco. The goal is to “transform the text into an operational toolbox,”
she said.

Coming to “a common interpretation” to keep intact the GDPR's goal of privacy
harmonization is a challenge, Falque-Pierrotin said. “The idea is really to keep
to the harmonization direction of the GDPR through these common guidelines.”

Falque-Pierrotin also discussed emerging plans for further GDPR guidance to be released
in 2017, including likely guidance on consent, the EU-U.S. Privacy Shield data transfer
framework and what Brexit may mean for privacy issues in the U.K. and EU.

Enforcement Guidance

The Art. 29 Party is “very much interested in setting out as clearly as possible the
enforcement procedures that we will have to use from May 2018,” Falque-Pierrotin said.

Guidance is necessary to explain new processes adopted in the GDPR, including setting
a lead authority for complaints and enforcement proceedings and a one-stop-shop approach
to privacy oversight and enforcement, she said.

Interpretive guidance is also needed on the GDPR provision on bilateral cooperation
among EU privacy regulators and the establishment of a European Data Protection Board
to resolve enforcement disputes, Falque-Pierrotin said.

“We have to work out how all these little bits should be articulated for the entire
enforcement procedure to be workable,” she said.

Corporate Privacy Officers

The GDPR's provisions on privacy officers—called data protection officers (DPO) in
the regulation—are also priorities for the Art. 29 Party, Falque-Pierrotin said.

Companies have “a lot of different practical questions” about what they should do
to put a DPO in place, she said.

“The DPO is going to be a key tool for compliance,” she said. “The GDPR gives an
increased role to the DPO and a lot of companies are wondering in what circumstances
they have to have a DPO and what the position of the DPO in the organization should
be,” she said.

The GDPR introduces a new right of data portability to allow individuals to request
access to their personal data processed automatically by companies and, in some instances,
to have that data transferred to competitors, such as transferring mobile phone data
from one provider to another. The new right is “very important” to individuals,
so the Art. 29 Party is focusing carefully on the scope of the right and how to
implement it correctly, she said.

The Art. 29 Party is also working on privacy impact assessment guidance and compliance
certification procedures as part of its 2016 action plan and will probably issue guidance
at the next plenary at the beginning of next year, Falque-Pierrotin said.

Proof of Consent

Although it is too early to say definitively what the Art. 29 Party will prioritize
for additional guidance to be issued in 2017, dealing with the new individual consent
standards in the GDPR is a likely subject, Falque-Pierrotin said.

The GDPR, for example, says that companies engaged in online marketing must provide
some kind of opt-in process and provide proof of consent, she said. Companies need
to know what the proof of consent standard will be well in advance of the effective
date of the GDPR, so they can develop internal tools, she said.

Guidance on the GDPR's consent and other provisions is particularly important for
smaller companies, Falque-Pierrotin said.

Small and medium-sized companies have traditionally had a more difficult time with
privacy requirements, she said. Startups “are closer to innovation and they are more
interested in using privacy protection as a lever for innovation,” she said.

“But for regular small and medium companies, we have the idea to develop some very
simple pedagogical tools,” she said.

Overall, privacy awareness appears to be rising as the GDPR comes closer to its effective
date and that may be due to the large potential sanctions in the regulation, Falque-Pierrotin
said.

Privacy Shield Review

The Art. 29 Party won't have any further official comment on the EU-U.S. Privacy Shield
data transfer program until after the program has been in place for a year and evaluated
by the European Commission, Falque-Pierrotin said.

The Privacy Shield, which replaced the now-defunct U.S.-EU Safe Harbor Program, allows
personal data of EU citizens to be sent to U.S. companies that self-certify with the
U.S. Department of Commerce that they comply with privacy and security principles akin
to those in EU law. It took effect in July.

The European Commission—the EU's administrative arm—is slated to complete its first
annual review of the Privacy Shield in summer or early fall of 2017. The commission
will evaluate whether the Privacy Shield is providing adequate privacy protection.

“What I can say as a representative of the Art. 29 Working Party is that we're going
to be very vigilant on the implementation of the Privacy Shield,” Falque-Pierrotin
said. The Working Party expressed concerns in July that the Privacy Shield might not
provide adequate privacy protection.

“We are going to use the first year of implementation as a test period to verify if
there are grounds for these concerns,” she said.

No Position on Brexit

The Art. 29 Party hasn't reached any conclusions about the U.K.'s move to leave the
EU, known as Brexit, Falque-Pierrotin said.

“We have been very cautious about the Brexit consequences for the privacy community.
We've said we will keep a neutral point of view and try to see how it evolves,” she said.

The U.S.-EU Privacy Shield “is definitely a kind of standard for international data
flows between Europe and the rest of the world,” Falque-Pierrotin said. “So if the
U.K. decides really to leave Europe, it could be useful for the U.K. also,” she said.
